A malware family dubbed ‘KeyRaider’ has stolen over 225,000 iOS account login credentials, mostly from Chinese jailbroken iPhones, according to a report released this week from Palo Alto Networks.

The breach is the biggest so far in the history of iOS devices, and has affected users in 18 countries total. According to the report, up to 20,000 users are taking advantage of the tweaks that use stolen data to download and pay for items from the iTunes App store.

“The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying,” said Palo Alto in a blog post.

“Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom”

The malware was originally discovered by a student from China’s Yangzhou University along with a member from tech group WeipTech which is affiliated with well-known Chinese Apple fan site Weiphone. The report identified a user of Weiphone’s Cydia Repositories, a service for jailbroken devices, who they believe to be the author of the malware.

Weiphone has cooperated in the past with Palo Alto in identifying Wirelurker, another of the largest attacks to hit iOS devices, again mostly in China. The country is susceptible to malware because the inability to access software on official platforms makes jailbreaking an attractive option for users.

Wirelurker was the first malware of its kind to infect iOS devices that were not jailbroken. At the time Palo Alto Network noted that it was a sign “bad actors are getting more sophisticated.” Wirelurker infected 450 apps on a black market app store and was downloaded over 365,000 times, potentially affecting a similar number of users as KeyRaider.

Palo Alto Network has posted details on how affected iOS users should handle the the KeyRaider malware once it has been identified.